Why you're not investing enough in IT security

The Australian Bureau of Statistics, Australian Red Cross, British Airways, Home Depot, Kmart, Last Pass, LinkedIn, Sony Pictures, Target, and Yahoo. What do all these companies have in common?

They are just a small portion of the growing number of organisations that have been hacked or had their data or security breached and consequently exposed the personal and in several cases, financial information of millions of customers.

Recently, Red Cross Australia revealed that over half a million blood donor records had been compromised. I was actually impressed with the Red Cross’ ‘front foot’ approach to the breach.

Other companies should take note. Nevertheless, if you’ve ever donated blood at the Red Cross, you know external parties could now have access to some extremely personal information.

Then there is the travesty of the Australian Census debacle. The ABS told Australians that their data was safe following a denial of service attack on Census night last year. Prime Minister, Malcolm Turnbull, blamed IBM for the failure and also criticised the agency, saying it "put too much faith in IBM" and should have better managed its contract with the company.

And believe me, the problem is only going to get worse as businesses become increasingly connected and more services head into the cloud. Add to this the increasing number of employees introducing devices and wearable technology into the business network and it’s easy to see why businesses are so vulnerable to security breaches.

While IT and data security was once the exclusive domain of IT departments, it has now moved from the server room to the boardroom, with most global CEOs (87 per cent) and Fortune 500 leaders concerned about cyber security and the effect a major security breach will have on their business.

Ok, so we all agree that IT security is a major issue facing all companies. But what has brought on the change? For such a complicated and widespread problem, the reason is actually quite simplistic: budget.

In the 20-plus years that I’ve been involved in the IT industry, I have consistently seen companies make the same mistakes – they choose to invest in the certainty of operational or sales-driven initiatives over the relatively unknown realms of information security.

They trust what they know and what they can see. Unfortunately, this lack of attention and investment in digital security has a direct correlation to the drastic increase in cyber hacks and data breaches.

To put it into laymen terms, CEOs and boards have spent a lot of time and money enticing customers in the front door and making sure the front end of the business works efficiently, all the while leaving the back door wide open for criminals to come in and take what they want.

This was the exact situation Target found itself in back in 2013, when a data breach exposed payment information for 40 million customers. The business decided to have ‘ad-hoc operational cyber security services under a strict contract budget’ only.

During a breach, hackers uploaded malware disguised as existing data centre products. While malware detection software caught each of the uploads and escalated the warning alerts, there was no one within the Target business tasked with reacting to the notifications.

There are a couple of things of particular interest in this case. Firstly, the breach came through a third-party supplier with an external network connection – a small heating and air conditioning company that worked with Target. The malware hack was delivered to them via email.

Secondly, Target had outsourced the vast majority of its security as a managed service to third parties. These companies warned Target of the attack but the lines of authority and responsibility were blurred, confusing Target’s ability to respond.

Forgive the pun, but Target made itself an ‘easy target’. Its decision to save at the front end on digital security resulted in over 90 lawsuits and a legal spend of US$61 million to date. Not exactly a smart saving.

Target is, by no means, alone. In 2015, the Qatar National Bank suffered a data breach that exposed customer passwords, PIN numbers, financial transactions and personal information for more than 100,000 customers. An investigation revealed that hackers accessed the system through an SQL injection flaw in the bank’s website. Sony suffered a number of similar attacks through its web portal, compromising tens of thousands of account holders’ personal details.

In all of these examples, the problem arose because the company outsourced the responsibility and control of their information security to third party providers.

Now, by no means am I saying that outsourcing is evil. When used wisely and within fit-for-purpose activities, outsourcing can save companies a great deal of money and give access to skills and advice that cannot always be supplied internally.

But the minute you outsource responsibility or governance of information security to a third party, you tie a noose around your neck and hand the end of the rope to a vendor.

If your business critical services are provided via a third party, you need to ensure you have people inside your business who not only actively manage external relationships and deliverables. You also need to have someone who takes full responsibility for information security and its governance, and who has a full incident management procedure prepared in the case of a breach.

If you don’t have this in place, you’ve left the back door wide open and a welcome mat out for any criminal or hacker who wants to come in.

Rodney Byfield consults to executives and boards across Australia, specialising in technology strategy, information security, change and program management. He can be contacted at Rodney.byfield@aussieicon.com.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.